Procurement Language for Supply Chain Cyber Assurance

Size: px
Start display at page:

Download "Procurement Language for Supply Chain Cyber Assurance"

Transcription

1 Procurement Language for Supply Chain Cyber Assurance

2 Procurement Language for Supply Chain Cyber Assurance Introduction For optimal viewing of this PDF, please view in Adobe Acrobat. This document serves as a minimal set of requirements for any supplier providing network-connectable software, systems, or devices as part of a contractual bid to. A description of the required methods by which features and functions of network-connectable devices are expected to be evaluated at the product level and tested for known vulnerabilities and software security weaknesses while also establishing a minimum set of verification activities intended to reduce the likelihood of exploitable weaknesses that could be vectors of zeroday exploits that may affect the device are articulated throughout this document. While this document serves as a minimal set of requirements, expects that suppliers will remain conscious of the dynamic nature of cybersecurity and provide incremental improvements as needed, which shall consider for inclusion in future versions of this document. Suppliers shall be required to provide with any and all requested artifacts as evidence that the supplier is in compliance with stated requirements. Scope These requirements applies to (but is not limited to) the following: Application Software Embedded Software Firmware Drivers Middleware Operating Systems The requirements in this document are derived from various industry standards, guidelines, and other documents including, but not limited to: IEC ISO NIST SP NIST SP DHS Cyber Security Procurement Language for Control Systems ISA EDSA FIPS Common Criteria Smartcard IC Platform Protection Profile Mayo Clinic Technology and Security Requirements Procurement Language UL 2900 The requirements in this document apply to devices, software or software services that will be referred to as product throughout this document. The product can be connected to a network (public or private) and may be used as part of a system. These requirements are applicable to products that contain software where unauthorized access or operation, either intentional or through misuse, of the product can impact safety, privacy, loss of data and compromise operational risks Synopsys 2

3 Glossary of Terms Robustness Test Tool specialized test tool that performs both Resource Exhaustion Tests and Invalid messages tests. Data Resource Exhaustion Tests Tests that try to exhaust a particular data handling resource of the product. An example is a test that tries to create as many concurrent TCP connections as possible. Invalid Messages Tests Tests that send incorrect data messages to the product. These messages are incorrectly structured in that they do not conform to protocol specifications either based on the structure of the message or compliance to the protocol specification. Known Vulnerability Scanner specialized test tool that performs known vulnerability scans off of a published vulnerability database Known Vulnerability vulnerability is an undocumented feature or defect which allows an outside entity to compromise the intended use and function of the product. A known vulnerability has been publicly disclosed and is typically present on a public database, such as the NIST National Vulnerability Database. Malware hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Communication Protocol Fuzz Testing the ability to transmit valid and invalid messages to the product. This allows the ability to test the product to identify any vulnerabilities that are unknown that can be uncovered by malformed inputs to the product. Static Analysis a process where a program s source code or its binary code is analyzed without executing the code. Static code analysis has the ability to examine and process source code files for security weaknesses and to identify potential vulnerabilities. Static binary analysis has the ability to examine and process compiled binaries for software components and known vulnerabilities in those components. Common Vulnerabilities and Exposures (CVE ) CVEs common names and identifiers for publicly know information security vulnerabilities Common Weakness Enumerations (CWE ) CWEs are defined software weaknesses related to architecture and design of the software. Binary Code defines machine instructions for a specific family of processor architecture Byte Code instructions that are created from source code as an intermediate step before generating machine instructions. Byte code is independent of specific processor architecture. Dynamic Runtime Analysis is the ability to examining the how the software behaves while it is executing or in operation. Penetration Testing is a mechanism of evaluation of a product, system, network or organization to identify vulnerabilities and security flaws and possibly exploit the flaws and vulnerabilities with the intent to penetrate the product, system, network and/ or organization security. The intent is to circumvent or defeat the security measures of the product. Penetration testing is a largely undefined field of study that requires specialized skills found in penetration testing professionals. Supplier The organization supplying a product or service to. Code Signing The process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash. Requirements The requirements section of this document will be broken out into the following sections: 1. Product Development Specification and Policy 2. Security Program 3. System Protection and Access Control 4. Product Testing and Verification 5. Deployment and Maintenance 3

4 The word shall precedes all requirements to indicate that they are normative. The word Note: precedes statements that are explanatory or informative. 1. Product Development Specification and Policy Supplier shall represent and warrants that it has established and implements security standards and processes that must be adhered to during all equipment and product development activities, with such security standards being designed to address potential security incidents, product vulnerability to unauthorized access, loss of functions, malware intrusion, or any other compromise to confidentiality, integrity, or availability. Supplier shall represent that its security standards practices contain include testing procedures and tools designed to ensure the security and non-vulnerability of all products and equipment. Supplier shall warrant that it will, for all products and equipment, implement failsafe features that protect the product s critical functionality, even when the product s security has been compromised. Supplier shall provide with a written copy of its Development Security Standards upon request and shall allow personnel, or a third-party identified by to view and assesses the standards. Supplier represents and warrants that, with respect to all of its products (as applicable), it meets and complies with all cyber-security guidelines and similar requirements and standards promulgated by any applicable regulatory body, where present. Supplier can provide a third-party assessment of organization s product development as a validation of the process employed. 2. Security Program Supplier shall represent and warrant that it has developed and continues to maintain a comprehensive written security program that contains administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of all of s systems and data. Supplier represents and warrants that all audits and reports, produced as part of its written security program and all reports required to be produced or made available to are able to be exported and delivered in electronic format. The supplier s written security program shall include, but may not be limited to: a. Identifying and assessing reasonably foreseeable internal and external risks to the availability, security, confidentiality, and/ or integrity of any and all supplier products, systems, servers, equipment, software, electronic, paper or other records. The written security policy shall include means of evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such supplied product(s) vulnerability and risks, including but not limited to: i. Ongoing employee (including temporary and contract employee) training; ii. Employee compliance with policies and procedures; and iii. Means for testing for, detecting and preventing security system failures on an ongoing basis. b. Regular monitoring to ensure that the written security policy is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of s systems and data, or any compromise in confidentiality, integrity, or availability of s systems and data. c. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of supplier products containing or which may access or be used to access s networks, systems and data, or compromise the confidentiality, integrity, or availability of s systems and data. d. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory postincident review of events and actions taken, if any, to make changes in business practices relating to protection of. e. Supplier can provide a third-party assessment of organization s security program as a validation of the process employed. 3. System Protection and Access Control Supplier shall demonstrate that s systems and data are protected by appropriate network security controls that prevent 4

5 unauthorized access by providing with network diagrams of supplier s environment used to provide products, equipment, maintenance and services to. a. Supplier infrastructure - Supplier shall warrant that an incident response mechanism is in place for unauthorized access or disclosure of technology and assets on the supplier infrastructure. Supplier shall have an approved C level process for notification to of unauthorized access or disclosure of technology and assets on the supplier infrastructure that may impact business operations of products and services delivered to. b. Supplier shall provide with a standard operating procedure for securing suppliers technology assets with independent evaluation and assessment where applicable and a management audit of said standard operating procedure annually. c. Communications between supplier and shall be performed with a secure mechanism. Supplier shall provide operating procedures for secure mechanism to ensure no unauthorized access or disclosure of technology and assets. d. All supplier products and services that have the capability to perform remote system maintenance, software upgrades, troubleshooting and diagnostics shall provide technical documentation on these capabilities which shall have the following at a minimum: i. Strong authentication mechanisms for access to products and services ii. Mechanism to perform any remote software downloads are: 1. Validated as an uncompromised supplier deliverable 2. Validated as an unaltered supplier deliverable 3. Validated that only that action is performed 4. Validated that it does not provide access to any other systems except for the purpose of updating the software to a supplier deliverable iii. Ability to prevent the introduction of any unwanted activity unauthorized by the supplier e. Supplier agrees that no external access to their internal networks and systems, will be permitted unless strong authentication and encryption is used for such access. Supplier represents and warrants that all internet and network communications will be encrypted and authenticated. Any necessary external communications for purposes of service or maintenance functions to be performed by supplier will be encrypted and will utilize multi-factor authentication to access any and all devices, equipment and/or applications. Supplier shall maintain an access control list for all access to the internal network from an external network and supplier agrees that any of its servers exposed to the internet that contain data or access systems run on a hardened operation system. 4. Product Testing and Verification Supplier shall perform a vulnerability assessment for any or all products that will be provided to as part of a contractual agreement, including scanning, and penetration testing by a tester of s choosing (or a tester selected by supplier and approved by ) or, in s discretion, personnel may perform such vulnerability assessment, all at no cost to. Supplier represents and warrants that it performs security testing and validation for all of its products, and that all security testing performed by supplier covers all issues noted in the SANS/CWE Top 25 and OWASP Top 10 documentation, and shall include a vulnerability scan encompassing all ports and protocols. Supplier shall provide with a test plan for all tests performed for review and approval by. The testing shall include, but not be limited to: a. Communication Robustness Testing This shall include, at a minimum, communication protocol fuzz testing to determine the ability to properly handle malformed and invalid messages for all identified communication protocols in the supplier product, as well as data resource exhaustion tests (aka load 5

6 testing and DoS testing ). Communication robustness testing shall be performed using tools that are approved by, and that produce machine-readable data. b. Software Composition Analysis This shall include, at a minimum, an analysis of all compiled code found in the supplier product and shall identify all third-party open source components, and shall, at a minimum, identify all known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE ) in publicly available databases. Software composition analysis shall be performed using tools that are approved by, and that produce machine-readable data. c. Static Source Code Analysis This shall include, at a minimum, an analysis of all available source code found in the supplier product and shall identify weaknesses enumerated by Common Weakness Enumeration (CWE ). Static source code analysis shall be performed using tools that are approved by and that produce machine-readable data. All CWE Top 25 and OWASP Top 10 issues that have not been remediated must be clearly documented as an exception. d. Dynamic Runtime Analysis This shall include, at a minimum, an analysis of how the supplier provided software behaves during operation and whether such behavior introduces potential security vulnerabilities that could negatively impact confidentiality, integrity, and availability. e. Known Malware Analysis This shall include, at a minimum, a scan of supplier provided software to determine if any known malware exists in the supplier provided software and a risk assessment on mitigation controls or value of risk. f. Bill of Materials The supplier shall provide a bill of materials that clearly identifies all known third-party software components contained in the supplier product. This shall be provided in a machine-readable format. g. Validation of Security Measures All security measures described in the product s design documentation are properly implemented and mitigate the risks associated with use of the component or device. h. Third-Party Penetration Test The supplier shall provide with the results of a penetration test performed by a third-party penetration tester. may, at their discretion, recommend a penetration tester of their choosing. The third-party penetration test shall, at a minimum, but not limited to, determine the following: i. All ports and interfaces that the product has enabled and disabled for all configurations. ii. All services that are external to the product for all configurations of the product. The test shall determine operational, service, test and non-functional services of the product. iii. Measures implemented to prevent denial of service attacks on all ports, interfaces and services. iv. All ports, interfaces, and services are documented and that there exists no undocumented port, interface or service. v. All ports, interfaces and services that require authentication shall meet the requirements of the authentication section in the companion standard for the product ecosystem. vi. Vulnerabilities in the product are probed and provide conceptual exploits to attack the vulnerability. vii. Software and hardware weaknesses that are identified in the product that are in SANS WE Top 25 and OWASP Top 10 and/or otherwise negatively impact confidentiality, availability and integrity of the supplier product. i. Risk Assessment The supplier shall provide with a threat model and subsequent risk assessment that includes, at a minimum, but is not limited to: i. Risk criteria used to evaluate the significance of risk, including the level at which risk becomes acceptable. ii. Risk identification, including (but not limited to) all known vulnerabilities identified through testing and all software weaknesses per SANS WE Top 25 and OWASP Top 10 publicly available lists. 6

7 iii. Risk analysis, including consideration of the causes and sources of the risks and their consequences. iv. Risk evaluation, comparing the level of risk found during the analysis process with the established risk criteria to determine the acceptability of the risks. v. Additional risk control measures shall be implemented to address all known vulnerabilities and software weaknesses that have been determined to present an unacceptable level of risk. 5. Deployment and Maintenance Supplier shall provide with detailed installation, deployment, and configuration instructions, and, at the request of assistance in installation, deployment, and configuration that supplier warrants meets the expected security context resulting from meeting the requirements in this document. All supplied software products shall be authenticated through code signing. Supplier shall provide with a stated lifecycle of supplied product and shall provide with a maintenance plan that addresses both current and legacy products provided to. Supplier shall provide, at a minimum, but not be limited to, the following: a. Ongoing Vulnerability Assessment Supplier shall periodically apply all previously listed vulnerability assessment testing to the supplied products at a frequency of no less than once annually, and report any newly discovered vulnerabilities to within 15 days of being discovered. b. Patch Management and Deployment Supplier shall design all products with the ability to apply patches when needed and shall provide with the patch management plan. Supplier shall provide with tested, verified, and validated patches in a timely manner, to not exceed 90 days for any vulnerabilities found in SANS WE Top 25 and OWASP Top 10, or any vulnerabilities deemed critical by. All patches and provided updates shall be authenticated through code signing. c. Updates to Bill of Materials Supplier shall provide with an updated bill of materials per the previously stated requirement for any changes resulting from product updates, patches, etc. d. End of Life Supplier shall provide with a disposition plan for all software that has reached the supplier stated end of life. This plan shall include, at a minimum, but may not be limited to: i. Uninstallation instructions ii. Removing of confidential information (e.g. data and keys) iii. Transition plan to updated version of supplier product iv. Supplier warrant that expected security context remains intact About Synopsys Synopsys, Inc. (Nasdaq:SNPS) is the Silicon to Software partner for innovative companies developing the electronic products and software applications we rely on every day. As the world s 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP, and is also growing its leadership in software quality and security solutions. Whether you re a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest quality and security, Synopsys has the solutions needed to deliver innovative, high-quality, secure products. The company is headquartered in Mountain View, California, and has approximately 113 offices located throughout North America, South America, Europe, Japan, Asia and India. Synopsys Inc. 185 Berry Street, Suite 6500 San Francisco, CA USA U.S. Sales: (800) International Sales: +1 (415) sales@coverity.com, Inc. All rights reserved. The registered trademarks of Synopsys used herein are registered in the U.S. and other countries. All other company and product names are the property of their respective owners.

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Technical Guidance and Examples

Technical Guidance and Examples Technical Guidance and Examples DRAFT CIP-0- Cyber Security - Supply Chain Risk Management January, 0 NERC Report Title Report Date I Table of ContentsIntroduction... iii Background... iii CIP-0- Framework...

More information

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems Copyright 2018 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written

More information

IoT & SCADA Cyber Security Services

IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Security analysis and assessment of threats in European signalling systems?

Security analysis and assessment of threats in European signalling systems? Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014 Slide

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

An ICS Whitepaper Choosing the Right Security Assessment

An ICS Whitepaper Choosing the Right Security Assessment Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available

More information

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational

More information

Cyber Security for Process Control Systems ABB's view

Cyber Security for Process Control Systems ABB's view Kaspersky ICS Cybersecurity 2017, 2017-09-28 Cyber Security for Process Control Systems ABB's view Tomas Lindström, Cyber Security Manager, ABB Control Technologies Agenda Cyber security for process control

More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

ISASecure SSA Certification for DeltaV and DeltaV SIS

ISASecure SSA Certification for DeltaV and DeltaV SIS ISASecure SSA Certification for DeltaV and DeltaV SIS Frequently Asked Questions This FAQ addresses questions around the scope and relevance of the ISASecure System Security Assurance certification applied

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

HP Standard for Information Protection and Security for Suppliers/Partners

HP Standard for Information Protection and Security for Suppliers/Partners HP Standard 14-04 for Information Protection and Security for Suppliers/Partners Document Identifier HX-00014-04 Revision and Date D, 01-Oct 2017 Last Re-validation date Abstract This standard describes

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply

More information

Baseline Information Security and Privacy Requirements for Suppliers

Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Choosing the Right Security Assessment

Choosing the Right Security Assessment A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information

Seqrite Endpoint Security

Seqrite Endpoint Security Enterprise Security Solutions by Quick Heal Integrated enterprise security and unified endpoint management console Enterprise Suite Edition Product Highlights Innovative endpoint security that prevents

More information

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11 AUDITING ROBOTICS AND THE INTERNET OF THINGS (IOT) APRIL 9, 2018 PRESENTERS Kara Nagel Manager, Information Security Accenture Ryan Hopkins Assistant Director, Internal Audit Services Packaging Corp. of

More information

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Guide to cyber security/cip specifications and requirements for suppliers. September 2016 Guide to cyber security/cip specifications and requirements for suppliers September 2016 Introduction and context The AltaLink cyber security/cip specification and requirements for suppliers (the standard)

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool Contact Ashley House, Ashley Road London N17 9LZ 0333 234 4288 info@networkiq.co.uk The General Data Privacy Regulation

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

Security Principles for Stratos. Part no. 667/UE/31701/004

Security Principles for Stratos. Part no. 667/UE/31701/004 Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

Session 5311 Critical Testing Programs for Security Operations

Session 5311 Critical Testing Programs for Security Operations Session 5311 Critical Testing Programs for Security Operations Introduction Neil Lakomiak UL Rodney Thayer Smithee Spelvin Agnew & Plinge, Inc. Coleman Wolf Environmental Systems Design, Inc. Testing Programs

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

_isms_27001_fnd_en_sample_set01_v2, Group A

_isms_27001_fnd_en_sample_set01_v2, Group A 1) What is correct with respect to the PDCA cycle? a) PDCA describes the characteristics of information to be maintained in the context of information security. (0%) b) The structure of the ISO/IEC 27001

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Purpose The purpose of this policy is to outline the acceptable use of computer equipment at Robotech CAD Solutions. These rules are in place to protect the employee and Robotech

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication

More information

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager with the IEC 62443-4-2 Standard What You Should Know Vance Chen Product Manager Industry Background As the Industrial IoT (IIoT) continues to expand, more and more devices are being connected to networks.

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

existing customer base (commercial and guidance and directives and all Federal regulations as federal) ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of

More information

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1 EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1 EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD ICTN 6823 BOYD AARON SIGMON EAST CAROLINA UNIVERSITY EFFECTIVE VULNERABILITY MANAGEMENT USING

More information

Cybersecurity Technical Risk Indicators:

Cybersecurity Technical Risk Indicators: Cybersecurity Technical Risk Indicators: A Measure of Technical Debt Joe Jarzombek, CSSLP, PMP Global Manager, Software Supply Chain Solutions Synopsys Software Integrity Group Previously Director, Software

More information

American Association for Laboratory Accreditation

American Association for Laboratory Accreditation R311 - Specific Requirements: Federal Risk and Authorization Management Program Page 1 of 10 R311 - Specific Requirements: Federal Risk and Authorization Management Program 2017 by A2LA. All rights reserved.

More information

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

Security Architecture

Security Architecture Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to

More information

Computer Security Policy

Computer Security Policy Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27039 First edition 2015-02-15 Corrected version 2016-05-01 Information technology Security techniques Selection, deployment and operations of intrusion detection and prevention

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

TRACKVIA SECURITY OVERVIEW

TRACKVIA SECURITY OVERVIEW TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times

More information

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,

More information

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established

More information

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ENERGY AUTOMATION - SMART GRID Restricted Siemens AG 20XX All rights reserved. siemens.com/answers Frederic Buchi, Energy Management Division, Siemens AG Cyber

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

Vol. 1 Technical RFP No. QTA0015THA

Vol. 1 Technical RFP No. QTA0015THA General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Core Infrastructure IPSS Concept of Operations Per the IPSS requirements, we provide the ability to capture and store packet

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices March 6, 2019 Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices On July 21, 2016, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability

More information

Coverity Static Analysis Support for MISRA Coding Standards

Coverity Static Analysis Support for MISRA Coding Standards Coverity Static Analysis Support for MISRA Coding Standards Fully ensure the safety, reliability, and security of software written in C and C++ Overview Software is eating the world. Industries that have

More information

IT ACCEPTABLE USE POLICY

IT ACCEPTABLE USE POLICY CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to

More information

TAN Jenny Partner PwC Singapore

TAN Jenny Partner PwC Singapore 1 Topic: Cybersecurity Risks An Essential Audit Consideration TAN Jenny Partner PwC Singapore PwC Singapore is honoured to be invited to contribute to the development of this guideline. Cybersecurity Risks

More information

Ensuring System Protection throughout the Operational Lifecycle

Ensuring System Protection throughout the Operational Lifecycle Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service

More information

Building Secure Systems

Building Secure Systems Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

Cybersecurity: Incident Response Short

Cybersecurity: Incident Response Short Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability

More information

Chapter 5: Vulnerability Analysis

Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

Cyber Hygiene: A Baseline Set of Practices

Cyber Hygiene: A Baseline Set of Practices [DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright

More information

NIST Special Publication

NIST Special Publication DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies

More information

Nebraska CERT Conference

Nebraska CERT Conference Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology

More information

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &

More information

Cybersecurity Auditing in an Unsecure World

Cybersecurity Auditing in an Unsecure World About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity

More information

WHITEPAPER. Security overview. podio.com

WHITEPAPER. Security overview. podio.com WHITEPAPER Security overview Podio security White Paper 2 Podio, a cloud service brought to you by Citrix, provides a secure collaborative work platform for team and project management. Podio features

More information

Data Security and Privacy Principles IBM Cloud Services

Data Security and Privacy Principles IBM Cloud Services Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope Jacksonville State University Acceptable Use Policy 1. Overview Information Technology s (IT) intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Jacksonville

More information

Monthly Cyber Threat Briefing

Monthly Cyber Threat Briefing Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an

More information